Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
826
Views
0
Helpful
2
Replies

When connected VPN client cannot access internet?

rechard_hk
Level 1
Level 1

‎08-06-2010 02:53 AM

Dear All,

I would like to ask you some question about VPN client as below that:

on my system i have ASA 5520 and switch 3560. on cisco switch 3560 i do Vlan.


on configure VPN client i can connect to ASA 5520 but i have some problem:

1- when Client connected already, so my PC cannot access internet but i can ping to local. so what is the problem?

2-when client connected already, my PC (outside that use VPN client ) can ping some Vlan but my configuration allow access already but i don't know that wrong?

Please help to solve my issue!!!

Best Regards,

Rechard

Labels:
0 Helpful
2 Replies 2

Jason Gervia
Cisco Employee
Cisco Employee

‎08-06-2010 05:33 AM

Hello,

It doesn't sound like you have split tunneling configured correctly:  ie, when you connect, all traffic (including internet) *has* to go over the VPN, and unless you configure it properly there, it won't get sent out to the internet.


The easiest way to fix this is to only send traffic behind the VPN firewall over the VPN, and let your internet connectivity use your local connection without going over the VPN.  This is called split tunneling.  Try configuring it using the link below.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

If you still have problems, try attaching the configuration of your firewall to you next message and we'll take a look at what could be happening.

--Jason

0 Helpful

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-06-2010 05:56 AM

Hello,

Sounds like you do not have an outside nat configuration line on the

firewall. Please try the following:

global (outside) 1 interface -- You can use the existing global

nat (outside) 1

same-security-traffic permit intra-interface

This will ensure that the internet traffic gets Hair-pinned and sent to

internet.

Hope this helps.

Regards,

NT

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents